On Sat, 2003-05-03 at 10:27, Paul wrote:
> First off, my opinion on GUI firewalls, you're adding
> more processes to a firewall than what is needed. A
> true firewall should have the least amt of processes
> installed/running on it all the time.
That's very true, but a good GUI like fwbuilder doesn't have to run on
the fw itself - in fact it shouldn't. It can be run on your local
machine, and the script that it generates can then be pushed out to the
actual fw which doesn't need to have any additional stuff on it at all.
In the case of fwbuilder, you can also use it to migrate relatively
painlessly from one type of fw to another. Because the NAT and policy
rules are stored by fwbuilder in its own XML format that's separate from
the actual output script generated for whatever software your fw is
running, you can take the same ruleset and output it for ipchains, or
iptables, or whatever you need at the time.
> What I'd suggest is make a really simple script like I
> did.
> It's actually quite simple.
In simple scenarios, yes, but things aren't always that easy. For example, I
manage a number of firewalls on our network using fwbuilder, and a
little while ago I printed out the iptables script generated for one of
them, and the script was 32 pages long. When you've got a network that's
less trivial than a couple of boxes on a DSL connection, a good GUI can
help you keep track of what's going where.
Cheers
Jonathan
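The workflow Jonathan describes (rules kept in a backend-neutral XML document on the admin's workstation, rendered to an iptables or ipchains script that is then pushed to a firewall that runs nothing extra) can be illustrated with a small generator. The block below is an added example for this thread, not fwbuilder's code or its XML format: the `<policy>`/`<rule>` schema, the sample ruleset and the function names are all constructed for the illustration. The one design point worth noticing is that every field is validated once at parse time, so that a malformed or hostile value in the ruleset cannot be spliced into the shell script the firewall will execute.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ruleset in a hypothetical backend-neutral schema
# (this is NOT fwbuilder's XML; it only needs to be free of iptables or
# ipchains syntax so the same document can be rendered for either).
SAMPLE_POLICY = """<policy default="drop">
  <rule action="accept" proto="tcp" src="10.0.0.0/8" dst="192.0.2.10" dport="22"/>
  <rule action="accept" proto="tcp" src="0.0.0.0/0"  dst="192.0.2.10" dport="80"/>
  <rule action="drop"   proto="udp" src="0.0.0.0/0"  dst="192.0.2.10" dport="161"/>
</policy>"""

ACTIONS = {"accept", "drop"}
PROTOS = {"tcp", "udp"}


def parse_policy(xml_text):
    """Parse the neutral policy into (default_action, [rule dicts]).

    All validation happens here, once: the renderers below interpolate
    the values straight into shell commands, so anything that is not a
    known keyword, a parseable network or an in-range port is rejected
    rather than passed through to the script the firewall will run.
    """
    root = ET.fromstring(xml_text)
    default = root.get("default", "drop")
    if default not in ACTIONS:
        raise ValueError(f"bad default action {default!r}")
    rules = []
    for el in root.findall("rule"):
        action, proto = el.get("action"), el.get("proto")
        if action not in ACTIONS or proto not in PROTOS:
            raise ValueError(f"bad action/proto {action!r}/{proto!r}")
        # ip_network() raises ValueError on anything that is not an address
        # or CIDR block; str() gives a normalised form such as 192.0.2.10/32.
        src = ipaddress.ip_network(el.get("src"), strict=False)
        dst = ipaddress.ip_network(el.get("dst"), strict=False)
        dport = int(el.get("dport"))
        if not 1 <= dport <= 65535:
            raise ValueError(f"bad port {dport}")
        rules.append({"action": action, "proto": proto,
                      "src": str(src), "dst": str(dst), "dport": dport})
    return default, rules


def render_iptables(default, rules):
    """Render the policy as iptables commands on the INPUT chain."""
    target = {"accept": "ACCEPT", "drop": "DROP"}
    out = ["iptables -F INPUT", f"iptables -P INPUT {target[default]}"]
    for r in rules:
        out.append(f"iptables -A INPUT -p {r['proto']} -s {r['src']} -d {r['dst']} "
                   f"--dport {r['dport']} -j {target[r['action']]}")
    return out


def render_ipchains(default, rules):
    """Render the same policy as ipchains commands: lowercase chain names,
    DENY instead of DROP, and the destination port written after -d."""
    target = {"accept": "ACCEPT", "drop": "DENY"}
    out = ["ipchains -F input", f"ipchains -P input {target[default]}"]
    for r in rules:
        out.append(f"ipchains -A input -p {r['proto']} -s {r['src']} -d {r['dst']} "
                   f"{r['dport']} -j {target[r['action']]}")
    return out


RENDERERS = {"iptables": render_iptables, "ipchains": render_ipchains}


def build_script(xml_text, backend):
    """Full script text for one backend, ready to copy to the firewall."""
    default, rules = parse_policy(xml_text)
    body = RENDERERS[backend](default, rules)
    return "#!/bin/sh\nset -e\n" + "\n".join(body) + "\n"


if __name__ == "__main__":
    # Same ruleset, two outputs: this is the migration step Jonathan mentions.
    for backend in RENDERERS:
        print(f"# --- {backend} ---")
        print(build_script(SAMPLE_POLICY, backend))
```

Running it prints an iptables script and an ipchains script from the single ruleset; adding a third renderer is all that is needed to target another backend, which is the property that makes migration cheap. Feeding the parser a rule whose `src` is not an address (for instance a value with extra shell or iptables options appended) raises `ValueError` instead of producing a script line, which is the check a generator like this must have when the policy file can be edited by more than one person.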